<rss version="2.0"><channel><title>TRCB.com RSS Feed</title><description>Managing Network Security:  To apply proper security strategies within a Windows Server 2003 network, both the Local Computer and Network need attention. At the local computer, security revolves around tasks: that is, what tasks can a locally logged-on user perform? Typically, we think in terms of adding drivers, changing settings and installing programs as candidates for scrutiny at the local leve</description><link>http://www.trcb.com/</link><language>en-Us</language><ttl>60</ttl><lastBuildDate>Sat, 26 May 2012 07:47:32 EST</lastBuildDate><copyright>Copyright 2012 Deborah Timmons, TRCB.com All Right Reserved</copyright><item><title>Windows Server 2003 Managing Network Security</title><link>http://www.trcb.com/computers-and-technology/windows-server-2003/windows-server-2003-managing-network-security-2458.htm</link><description>&lt;p&gt;&lt;strong&gt;Managing Network Security: &amp;nbsp;&lt;/strong&gt;To apply proper security strategies within a Windows Server 2003 network, both the Local Computer and Network need attention. At the local computer, security revolves around tasks: that is, what tasks can a locally logged-on user perform?&lt;/p&gt;&lt;p&gt;Typically, we think in terms of adding drivers, changing settings and installing programs as candidates for scrutiny at the local level. When it comes to securing the network at large, then the issues generally revolve around initial access, and then securing shared resources appropriately. With the exception of securing shared resources, use security templates to address these issues. Securing shared resources will be addressed later with the discussions of NTFS permissions and printer permission.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Getting Ready Questions&lt;/strong&gt;&lt;br /&gt;1. What are the types of security templates that come with Windows 2003?&lt;br /&gt;2. 
Before applying a security template, what tool should be used to see the effect of the template on the target computer?&lt;br /&gt;3. Which Windows operating systems have support for SUS natively?&lt;br /&gt;4. How should Windows clients be configured for SUS?&lt;br /&gt;5. What tool provides advanced monitoring and troubleshooting capabilities for the Kerberos authentication protocol?&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Getting Ready Answers&lt;/strong&gt;&lt;br /&gt;1. Windows 2003 comes with templates for workstations and domain controllers, which are then "grouped" as default, secure or high secure templates.&lt;br /&gt;2. Before applying a security template, the target computer should run the Security Configuration and Analysis MMC to determine the changes that the template will make.&lt;br /&gt;3. The client components for SUS are contained in Windows 2000 SP 3, Windows XP SP 1, in all Windows 2003 installations and as an msi file. For Windows 2000 SP 3 or later, no additional component installation is necessary. For earlier versions of Windows, clients can download the necessary components from the Microsoft public Web site, or the update can be distributed internally with a package created from the msi file and Group Policy.&lt;br /&gt;4. The recommended way to configure SUS behavior for Windows 2000 and Windows XP clients is through Group Policy. For earlier Windows operating systems, Group Policy will not be effective. For Windows NT, Microsoft recommends using the System Policy editor. For all down-level clients, registry edits can be used, although Microsoft generally discourages them. The registry settings are stored in HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU. &lt;br /&gt;5. 
Kerbtray allows viewing of the ticket-granting process, and is an advanced tool for network support.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Implement Secure Network Administration Procedures:&lt;/strong&gt; Microsoft ships security templates with Windows 2003 (as it did with Windows 2000) to provide a starting point for securing servers and workstations. The graphic shows an MMC with the Security Templates snap-in and the templates that come with Windows 2003. Note that there are templates for workstations and domain controllers, which are then "grouped" as default, secure or high secure templates. The set of templates that come with Windows has changed from 2000 to 2003, but the underlying concepts for use&lt;span&gt; remain the same.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;In addition to these, Windows 2003 introduces two new templates. The setup security template is created upon installation of the operating system and can be used to restore the security settings for the computer, or can be imported into Group Policy. It represents the default security settings that are applied during installation of the operating system, including the file permissions for the root of the system drive.&lt;/p&gt;&lt;p&gt;It can be used on servers and client computers; it cannot be applied to domain controllers. Microsoft suggests that Setup security.inf should never be applied using Group Policy. It contains a large amount of data and can seriously degrade performance if it is applied through Group Policy, because policy is periodically refreshed and a large amount of data would move through the domain. The rootsec template can be used to reset the security settings for the root volumes of the computer. By default, Rootsec.inf defines these permissions for the root of the system drive. 
This template can be used to reapply the root directory permissions if they are inadvertently changed, or the template can be modified to apply the same root permissions to other volumes.&lt;/p&gt;&lt;p&gt;Within each of the templates is a complete set of security settings, duplicating those found in the Local Security Policy, or in the Group Policy|Computer|Windows Settings|Security settings. Again, Microsoft provides the templates as a starting point for securing both the local computer and the network. The templates are actually found in %systemroot%\system32\security as .inf files.&lt;br /&gt; &lt;br /&gt;&lt;strong&gt;Implement Security Baseline Settings and Audit Security Settings by Using Security Templates&lt;/strong&gt;&lt;br /&gt;All Windows 2003 installations use the Setup Security template by default. You can then apply the secure and high secure templates to increase the level of security. Microsoft recommends that you copy an existing template, and then modify the copied template to create your own custom settings. Templates are applied to multiple Windows 2003 computers by importing the appropriate template into a Group Policy and then linking that Group Policy with the appropriate container in Active Directory. To secure the network, create a security policy that sets the minimum password length to 10 characters, requires password complexity, has the minimum age setting of 45 days, and allows three unsuccessful logon attempts before account lockout. The policy can then be imported into the Default Domain Controller Policy, so that all Domain Controllers enforce those settings across the entire network.&amp;nbsp;&lt;/p&gt;&lt;p&gt;Similarly, Local Policies within a security template can be set to disallow the installation of unsigned drivers, or to deny the user the ability to change the system time. As with Account Policies, these policies can be imported into a Group Policy, which is linked with a container. 
The objects in these containers represent the Windows 2003 computers that receive the security settings configured in the security template.&lt;/p&gt;&lt;p&gt;Microsoft provides another snap-in for the MMC, the Security Configuration and Analysis snap-in, which gives the administrator the opportunity to analyze the effect of the policy on the local computer prior to actual implementation. To use the Security Configuration and Analysis tool, we would open an MMC on the desired computer and add the snap-in. Once it is added, we would open a new database and perform an analysis. The results of the analysis would show differences between the existing configuration and the template as a red "X". This gives us the ability to see the impact of our template on an existing machine before we actually make the changes. Reversing the effect of security templates is not an easy matter, and requires extensive documentation and a manual setting-by-setting process of restoration.&lt;/p&gt;&lt;p&gt;Use this method to implement a standard audit of domain controllers. Once the configuration is finished, import the template into the default Domain Controller Policy to apply the settings to all domain controllers. Importing the security templates makes auditing ready for use. For example, earlier we only allowed three unsuccessful logon attempts prior to account lockout. An audit policy is now ready to track the failure of account logon to verify that the account lockout has occurred after the three unsuccessful attempts. All audited events are "captured" in the Security log and examined with Event Viewer. 
which shows the Audit portion of a security template.&lt;/p&gt;</description><pubDate>Sun, 23 Nov 2008 22:00:08 EST</pubDate><guid>http://www.trcb.com/computers-and-technology/windows-server-2003/windows-server-2003-managing-network-security-2458.htm</guid><source url="http://www.trcb.com/rss/article/windows-server-2003-managing-network-security-2458.xml">TRCB.com</source><category>Computers and Technology / Windows Server 2003 </category></item></channel></rss>
